Hi, I enabled USB auditing using the guide displayed in the following link: http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage
It seems to be working well. However, I noticed one thing on Win2k based machines... The OSSEC service fails to start when it is enabled... Here is what is shown in the ossec.log on the Win2k machine:

ossec-agent: ERROR: Unable to execute command: 'reg QUERY HKLM\SYSTEM \CurrentControlSetEnum\USBSTOR'.

I am guessing Win2k machines do not have this key. However, is there a way to make it ignore if the key doesn't exist so that the OSSEC service can continue to start? Or do I need to specify another class of OS type in my agent.conf? i.e. <agent_config os="Windows 2000">

Thanks in advance.

George
